The Personal Data Protection Act (PDPA) came into effect on 1 July 2014, and was developed with reference to international frameworks, namely the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (“OECD Guidelines”) and the APEC Privacy Framework, and data protection laws of jurisdictions such as the European Union, the United Kingdom, Hong Kong, Canada, Australia and New Zealand.
In view of technological advances and global developments, such as Big Data, cybersecurity and cyberterrorism, Internet of Things and Artificial Intelligence, the Personal Data Protection Commission (PDPC) is considering other possible bases for collecting, using and disclosing personal data under the PDPA, as well as the need for mandatory data breach notifications to PDPC and affected individuals under the PDPA. The PDPC is also cognisant that there may be instances where consent is not desirable or appropriate, such as for detection of fraud or security threats.
The PDPC is therefore considering 2 main amendments to the PDPA:
- enhanced framework for the collection, use and disclosure of personal data (the “Enhanced Framework”); and
- mandatory data breach notification framework.
The context for the proposed introduction of the Enhanced Framework is the digital economy today, which has changed the nature of data collection from active interaction to a passive one where various devices collect and transmit personal data across communications networks. The growth of Internet of Things (“IoT”) devices, machine learning and artificial intelligence has given rise to the ability to collate and analyse large amounts of data, opening up new possibilities for Big Data analytics. In this context, organisations may not always be able to anticipate the purposes for using and disclosing personal data at the outset. It may not be practical for organisations to seek individuals’ consent in every instance of data collection, or to attempt to identify the individuals in order to seek their consent for every new purpose. There may also be circumstances where consent is not desirable or appropriate, such as for detection of fraud and security threats.
Notification of Purpose
Under the proposed Enhanced Framework, organisations can collect, use and disclose personal data by simply notifying the individuals of the purpose (the “Notification of Purpose”). This Notification of Purpose would be applicable only if:
(1) it is impractical to obtain consent from the individual (and deemed consent would not be applicable); and
(2) the collection, use or disclosure of the personal data is not expected to have any adverse impact on the individuals. This includes ensuring the personal data will not be used to make a decision about the individual that may have an adverse impact on the individual, or to circumvent a prior withdrawal of consent (e.g. target the individual for direct marketing after he had opted out of receiving marketing communications).
The Notification of Purpose may be one-to-one from the organisation to the individual, or one-to-many from the organisation to a group of individuals (e.g. signage at the location where personal data is collected).
Organisations will be required to conduct a risk and impact assessment, such as a data protection impact assessment (“DPIA”), and put in place measures to mitigate the risks when relying on Notification of Purpose to collect, use or disclose personal data.
Example scenarios:
- An organisation does not have the contact information of its customers but wishes to use its customers’ personal data for a new purpose of conducting analytics to develop new products and services.
- An organisation wishes to deploy recording devices or drones in high-traffic situations that are likely to capture personal data.
Legal or Business Purpose
Another aspect of the proposed Enhanced Framework is that organisations may collect, use or disclose personal data without consent where it is necessary for a legal or business purpose (“Legal or Business Purpose”). Organisations need not notify individuals of the purposes when collecting, using or disclosing personal data in these circumstances. The proposed Legal or Business Purpose would be subject to the following conditions:
a) it is not desirable or appropriate to obtain consent from the individual for the purpose; and
b) the benefits to the public (or a section thereof) clearly outweigh any adverse impact or risks to the individual.
Example Scenario: a group of organisations in a particular sector needs to share information and analyse personal data of customers in order to identify and prevent potential fraudulent activities.
A risk and impact assessment, such as a DPIA, will need to be conducted to assess the risks and impact of the intended collection, use or disclosure of personal data to the individual.
Mandatory Data Breach Notification
Presently under the PDPA, there is no mandatory requirement to notify any party when a data breach has occurred. Organisations are encouraged to notify the PDPC as soon as possible of any data breaches that might cause public concern or where there is a risk of harm to a group of affected individuals.
Under the proposed mandatory data breach framework, organisations must report significant data breaches, which are to be assessed against the following criteria:
- Risk of impact or harm to affected individuals: where a data breach poses any risk of impact or harm to the affected individuals, organisations must notify both the PDPC and the affected individuals. For example, a data breach involving personal data such as NRIC numbers, health information, financial information or passwords would be considered to pose a risk of impact or harm to the affected individuals.
- Significant scale of breach: organisations must notify the PDPC where the scale of the data breach is significant, even if the breach does not pose any risk of impact or harm to the affected individuals. The PDPC proposes that a data breach involving 500 or more affected individuals be considered of significant scale and therefore notifiable to the PDPC.
The proposed data breach notification framework will apply concurrently with notification requirements under other laws and sectoral regulations (e.g. Monetary Authority of Singapore (“MAS”) Notices 127 and 644 on Technology Risk Management) as follows:
- Where the organisation is required to notify a sectoral or law enforcement agency of a data breach under other written law, and that data breach meets the criteria for notifying the PDPC, it is proposed that the organisation shall notify PDPC concurrently with the sectoral regulator or law enforcement agency in accordance with the notification requirements under the other written law. The organisation may submit to the PDPC the same notification or copy the PDPC in its notification to the sectoral or law enforcement agency.
- Where the organisation is required to notify affected individuals under other written law, and that data breach meets the criteria for notifying affected individuals under the PDPA, the organisation will be considered to have fulfilled its breach notification obligations under the PDPA if it notifies the affected individuals according to the requirements under the other written law. The organisation in such a situation must also notify the PDPC of that data breach.
Where an organisation’s data intermediary (“DI”) experiences a data breach, the DI must immediately inform the organisation on whose behalf and for whose purposes it processes the personal data, regardless of the risk of harm or the scale of impact of the data breach. The organisation will remain responsible for complying with the breach notification requirements under the PDPA.
One exception to mandatory notification, among others, is where provisions of other written law are inconsistent with the proposed breach notification provisions under the PDPA, e.g. where other written law prohibits notification.
A further exception applies only to the requirement to notify affected individuals, in the following scenarios:
a) law-enforcement exception, where notification to affected individuals is likely to impede law enforcement investigations; and
b) technological protection exception, where the breached personal data is encrypted to a reasonable standard.
The PDPC proposes to require that the organisation notify the PDPC as soon as practicable, and no later than 72 hours from the time it becomes aware of the data breach.
Comment and Consultation Submissions
The above proposed amendments will affect how organisations run their businesses and practise data protection. Organisations would need to review and change their internal personal data or privacy policies, manuals and standard operating processes. This would include preparing a template data protection impact assessment (DPIA) to be undertaken whenever the organisation relies on the Notification of Purpose or Legal or Business Purpose mechanisms.
As regards the mandatory data breach notification, organisations should consider what would amount to risk of impact or harm to affected individuals in their context.
The proposed changes above are currently open to comments and feedback in the public consultation. All submissions should reach PDPC by 21 September 2017. Comments should be submitted:
a) in soft copy (in Microsoft Word format);
b) to the following e-mail address: email@example.com; and
c) with the email header: “PDPC’s Public Consultation on Approaches to Managing Personal Data in the Digital Economy”.